On Sat 14 May 2022 at 14:02:36 (+0100), Brian wrote:
> On Sat 14 May 2022 at 12:02:49 -0000, Curt wrote:
> > On 2022-05-14, <to...@tuxteam.de> wrote:
> > > On Sat, May 14, 2022 at 08:58:37AM -0000, Curt wrote:
> > >
> > > [...]
> > >
> > >> What about data breaches, and sites keeping your password
> > >> in plain text (though it seems access to the cryptographically hashed
> > >> passcodes is already a pretty good leg up)? What good is our entropy
> > >> then?
> > >
> > > As stated elsewhere: unique passwords. Don't use a password you're using
> > > elsewhere. Much less so with a site you don't trust.
> >
> > As always, I'm very uncertain where your goal posts are placed or what
> > tacit agenda you're following. No one has advocated the use of unique
> > passwords.
> >
> > In my plausible scenario, your password entropy counts for nothing.
> > Your password, unique or otherwise, has been compromised. 2FA would
> > prevent illegal entry to your account in this case. The subject we're
> > addressing here is your assertion that 2FA adds no extra security. I
> > have demonstrated that it does.
>
> Preventing data breaches is outside the scope of the user; providing
> a high entropy password is not. If accessing a site is of importance
> to him, then, in your plausible scenario, an eight character password
> effectively gives little security.
>
> That is not an argument for 2FA but for a user having a responsible
> password policy to guard against such breaches.
Preventing data breaches might be outside my control, but mitigating
their effect might not be. So I like to have 2FA set up as entering a
code in response to a phone call. There's some peace of mind in my
/not/ receiving any of those calls unless /I/ try to log in. Were it to
ring unexpectedly and I heard a woman with a crisp British accent
announce "Hello [pause] You have requested a code for logging in to
your account; the number is one three fave [sic] seven nine nine; this
code will expire in ten minutes", I would know something's afoot, and
I've got some urgent calls to make.

Cheers,
David.